Annual Computer Security Applications Conference 2011 Technical Track Papers


deRop: Removing Return-Oriented Programming from Malware

Final paper: PDF, 268KB
Presentation slides: PDF, 748KB

Kangjie Lu
Peking University, Singapore Management University
China

Dabi Zou
Singapore Management University
Singapore

Weiping Wen
Peking University
China

Debin Gao
Singapore Management University
Singapore

Abstract:
Over the last few years, malware analysis has been one of the hottest areas in security research. Many techniques and tools have been developed to assist in the automatic analysis of malware, ranging from basic tools such as disassemblers and decompilers, to static and dynamic tools that analyze malware behavior, to automatic malware clustering and classification techniques, to virtualization technologies that assist malware analysis, to signature- and anomaly-based malware detection, and many others. However, most of these techniques and tools do not work on newer attack techniques, e.g., attacks that use return-oriented programming (ROP).
In this paper, we look into the possibility of enabling existing defense technologies designed for normal malware to cope with malware that uses return-oriented programming. We discuss the difficulties in removing ROP from malware, and design and implement an automatic converter, called deRop, that converts a ROP exploit into shellcode that is semantically equivalent to the original ROP exploit but does not use ROP, and which can then be analyzed by existing malware defense technologies. We apply deRop to four real ROP malware samples and demonstrate success in using deRop for the automatic conversion. We further discuss the applicability and limitations of deRop.
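The conversion the abstract describes, illustrated on a toy machine as an added example; this is not deRop's code and not code from the paper. The gadget addresses 0x401000 to 0x401020, the three-gadget catalogue and the sample chain are constructed for the example. A ROP chain is data: gadget addresses interleaved with the operands their pops consume, sequenced by each gadget's ret. The converter walks the chain statically, inlines each gadget body, rewrites every pop into a move of the stack word it would have consumed, and drops the ret, so control falls through. Running both the chain and the resulting linear code on the same interpreter shows they leave the registers in the same state, while the output contains no ret at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy instruction set: enough to show pops turning into immediates. */
enum op { POP_RAX, POP_RBX, ADD_RAX_RBX, MOV_RAX_IMM, MOV_RBX_IMM, RET };
struct insn { enum op op; uint64_t imm; };
struct cpu  { uint64_t rax, rbx; };

/* Constructed gadget catalogue (addresses are assumptions, not real code). */
struct gadget { uint64_t addr; struct insn body[2]; size_t len; };
static const struct gadget gadgets[] = {
    { 0x401000, { {POP_RAX, 0}, {RET, 0} }, 2 },      /* pop rax ; ret */
    { 0x401010, { {POP_RBX, 0}, {RET, 0} }, 2 },      /* pop rbx ; ret */
    { 0x401020, { {ADD_RAX_RBX, 0}, {RET, 0} }, 2 },  /* add rax, rbx ; ret */
};
static const struct gadget *lookup(uint64_t addr)
{
    for (size_t i = 0; i < sizeof gadgets / sizeof gadgets[0]; i++)
        if (gadgets[i].addr == addr) return &gadgets[i];
    return NULL;
}

/* Attacker-controlled stack: cursor plus end, so a pop past the payload
 * yields 0 instead of reading out of bounds. */
struct stack { const uint64_t *sp, *end; };
static uint64_t pop(struct stack *s) { return s->sp < s->end ? *s->sp++ : 0; }

static void step(struct cpu *c, const struct insn *i, struct stack *s)
{
    switch (i->op) {
    case POP_RAX:     c->rax = pop(s);  break;
    case POP_RBX:     c->rbx = pop(s);  break;
    case ADD_RAX_RBX: c->rax += c->rbx; break;
    case MOV_RAX_IMM: c->rax = i->imm;  break;
    case MOV_RBX_IMM: c->rbx = i->imm;  break;
    case RET:                           break;  /* handled by the chain loop */
    }
}

/* Run the chain as the CPU would: every ret pops the next gadget address. */
struct cpu run_rop(const uint64_t *chain, size_t n)
{
    struct cpu c = {0, 0};
    struct stack s = { chain, chain + n };
    while (s.sp < s.end) {
        const struct gadget *g = lookup(pop(&s));
        if (!g) break;                          /* unknown address: chain ends */
        for (size_t k = 0; k < g->len; k++) step(&c, &g->body[k], &s);
    }
    return c;
}

/* deRop-style conversion: walk the chain statically, inline each gadget body,
 * turn every pop into a move of the word it would have consumed, drop the ret. */
size_t derop(const uint64_t *chain, size_t n, struct insn *out, size_t cap)
{
    size_t m = 0;
    struct stack s = { chain, chain + n };
    while (s.sp < s.end) {
        const struct gadget *g = lookup(pop(&s));
        if (!g) break;
        for (size_t k = 0; k < g->len && m < cap; k++) {
            struct insn i = g->body[k];
            if (i.op == RET) continue;          /* control flow becomes fall-through */
            if (i.op == POP_RAX) { i.op = MOV_RAX_IMM; i.imm = pop(&s); }
            if (i.op == POP_RBX) { i.op = MOV_RBX_IMM; i.imm = pop(&s); }
            out[m++] = i;
        }
    }
    return m;
}

/* Linear shellcode needs no attacker-supplied stack at all. */
struct cpu run_linear(const struct insn *code, size_t m)
{
    struct cpu c = {0, 0};
    struct stack none = { NULL, NULL };
    for (size_t k = 0; k < m; k++) step(&c, &code[k], &none);
    return c;
}
int contains_ret(const struct insn *code, size_t m)
{
    for (size_t k = 0; k < m; k++) if (code[k].op == RET) return 1;
    return 0;
}

/* Constructed payload: rax = 5; rbx = 7; rax += rbx  (rax ends at 12). */
const uint64_t sample_chain[] = { 0x401000, 5, 0x401010, 7, 0x401020 };
const size_t sample_chain_len = sizeof sample_chain / sizeof sample_chain[0];

int main(void)
{
    struct insn code[16];
    size_t m = derop(sample_chain, sample_chain_len, code, 16);
    struct cpu a = run_rop(sample_chain, sample_chain_len), b = run_linear(code, m);
    printf("rop rax=%llu linear rax=%llu insns=%zu ret_free=%d\n",
           (unsigned long long)a.rax, (unsigned long long)b.rax, m, !contains_ret(code, m));
    return (a.rax == b.rax && a.rbx == b.rbx) ? 0 : 1;
}
```

Compile with `cc -std=c99` and run; it prints both register states and exits 0 only if they agree. Real gadgets that write memory, change rsp, branch, or depend on values known only at run time are outside this toy; those are the kinds of cases the paper covers under applicability and limitations.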
